Recently, I posted an article/blog on the Medium platform titled "Passwords are Passe" (https://email@example.com/passwords-are-passe-d93565b48c99) in response to an article featured in the Wall Street Journal. My post is about the future of passwords and how new technology will change the 'face' of how we access our computers and systems. I am providing a repost of that blog article below.
A recent article in the Wall Street Journal entitled “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!” provided information about the National Institute of Standards and Technology’s revamped advice for creating passwords. It referenced a new guideline for password creation, favoring long, easy-to-remember phrases over a mixture of capital letters, numbers and symbols. However, the article does not provide enough to help readers stay safe; in fact, the guideline is behind the times.
Any password of fewer than 8 characters can be broken. Passwords can be guessed or identified through brute force, shared, or stolen. The usual attack stages are identification of the target, reconnaissance, intrusion, doing damage, and covering up. Since attackers use passwords to break through company security, companies have responded by making passwords more complex (e.g., with capitals, numbers, and special characters). However, with the tools now available, such as dictionaries of passwords and password-breaking code, complexity is now much easier to break, often too easy for many hackers.
Biometrics, on the other hand, cannot be lost or forgotten, and are difficult to copy or share. Biometrics are not only more secure because each person has unique characteristics, but they are simpler. They can be based on behavioral aspects, such as gait, signature, typing patterns, and voice. They can also be based on physiological aspects, such as facial characteristics, fingerprints, and hand geometry, or even retina and iris. Biometrics, which have been used for years by governments, are now used by the business world and have entered the consumer marketplace. Recent implementations have been at banks, which employ voice authentication, facial recognition, eye scans, fingerprints, and even behavior on the phone or keyboard. And with advances in consumer devices, the public has access to cheap and reliable biometric tools, solving the problem of weak passwords which can enable unauthorized system access.
A case in point of consumer biometrics in full tilt is Aetna, which last month announced that it has turned to authentication through behavior-based security. Aetna has made passwords optional. It allows customers to choose which biometric factors they prefer on their device and use those for authentication through a risk engine. As the chief security officer at Aetna mentioned in publications, “The risk engine is using unsupervised machine learning to match attributes to the existing model, so the more data provided into a model the better it performs over time. Therefore, the more often the consumer uses the application, the more effectively the risk engine performs.”
New types of biometrics are in play as well, including ear, odor, and skull recognition. Yes, odor is now being used for biometric authentication. Wearable technologies can also be used to identify unique health-related patterns, such as EKG or EEG. Some people are exploring a Type 4 authentication method that asks "what are you doing". Finally, DNA authentication is on the horizon, but not yet ready for use.
Granted, not all biometric authentication is available to the consumer, but with companies like Aetna proving biometric authentication can be used for the public, and Apple and other mobile companies utilizing fingerprint sensors to authenticate users, it is clear that passwords of any kind, nonsensical or real, lengthy, complex, compressed, or any combination, are truly a thing of the past - or will be very soon.
Given that innovation and evolution are happening around us, we should focus on opportunities of the future and incorporate technology such as biometrics into security for the things that matter most, such as the home, workplace, banking, and private information, rather than on a move toward a more sensible password.